In response to the requirements of Title III
of the E-Government Act (Public Law 107-347), titled the Federal Information
Security Management Act (FISMA), ITL recently published NIST Special
Publication (SP) 800-60, Guide for Mapping Types of Information and
Information Systems to Security Categories. Summarized in this ITL
Bulletin, the guide was developed to assist federal government agencies to
categorize information and information systems with respect to a range of levels
of impact or consequences that might result from the unauthorized disclosure,
modification, or loss of availability of the information or information system.
SP 800-60 applies to all federal systems other than national security
systems as defined in FISMA and NIST SP 800-59, Guideline
for Identifying an Information System as a National Security System. SP 800-60 and its appendices:

·Identify information attributes that may result in
variances from the provisional impact level assignment; and

·Describe how to establish a system security
categorization based on the system’s use, connectivity, and aggregate
information content.

SP 800-60 is intended as a reference resource
rather than as a tutorial. Not all of the material will be relevant to all
agencies. SP 800-60 includes two volumes: Volume I is a basic guideline and
Volume II contains appendices. Users should review the guidelines provided in
Volume I, then refer to only the material from the appendices that is
applicable.

The provisional impact assignments
contained in the appendices are only the first step in impact assignment and
subsequent risk assessment processes. The impact assignments are not
intended to be used by auditors as a definitive checklist for information types
and impact assignments.

The primary source for the information types
is the Office of Management and Budget’s Federal Enterprise Architecture
Program Management Office June 2003 publication, The Business Reference
Model Version 2.0 (BRM). The BRM describes functions relating
to the:

-Purpose of government (missions, or services to
citizens),

-Mechanisms the government uses to achieve its purpose (modes
of delivery),

-Support functions necessary to conduct government (support
services), and

-Resource management functions that support all areas of
the government’s business (management of resources).

The information types associated with support services and management of resources functions are included in
the management and support types. Some additional information types have
been added at the request of federal agencies. The information types associated
with services to citizens and modes of delivery functions are included
in the mission-based information types.

Volume II lists legal and executive sources
that establish sensitivity and/or criticality characteristics for specific
types of information processed by the federal government. Citations from the
United States Code and Executive Orders are listed in Appendix E.

FIPS 199 defines the security
categories, security objectives, and impact levels to which SP 800-60 maps
information types. FIPS 199 also describes the context of use for this
guideline.

The impact levels for the management and support information
common to many agencies are strongly affected by the mission-based
information with which that management and support information is associated. Each organization should review the
provisional information impact levels in the context of its own operational
environment, then accept or revise impact levels accordingly. The impact level
of information can be defined only within the context of an organization’s
operational environment.

Generally, information systems process many types of
information. Not all of these information types are likely to have the same
impact levels. The compromise of some information types will jeopardize system
functionality and agency mission more than the compromise of other information
types. System impact levels must be assessed in the context of system mission
and function as well as on the basis of the aggregate of the component
information types.

FIPS 199 establishes three impact levels relevant to
securing federal information for three security objectives (confidentiality,
integrity, and availability). A loss of
confidentiality is the unauthorized disclosure of information. A loss of
integrity is the unauthorized modification or destruction of information. A loss of availability
is the disruption of access to or use of information or an information
system. The generalized format for expressing the
security category, or SC, of an information type is:

·Identify information systems. An information
system may be a general support system, a major application, or a local or
special purpose system. Agencies should develop their own policies regarding
system identification for security categorization purposes.

·Identify information types. The user should
identify all of the information types that are input, stored, processed, and/or
output from each system.

·Select provisional impact levels. The user should select the provisional
impact levels for each identified information type from Appendices C and
D.

·Review and adjust provisional impact levels. The
user should review the appropriateness of the provisional impact levels
recommended for each information type based on the organization, environment,
mission, use, and connectivity associated with the system under review. After
reviewing the provisional impact levels, adjustments should be made to the
impact levels as appropriate.

·Assign system security category. The user establishes the level of
confidentiality, integrity, and availability impacts associated with the system
under review. The adjusted impact levels for information types are
reviewed with respect to the aggregate of all information processed in or
by each system.

Following completion of the system security categorization
process, the resulting impact level can be used as an input to a system risk
assessment and in selection of the security controls necessary for each system.
The minimum security controls recommended for each system security category
will be found in DRAFT NIST SP 800-53, Recommended
Security Controls for Federal Information Systems.

Identify
any information type processed by the system that is required by statute,
Executive Order, or agency regulation to receive special handling (e.g.,
with respect to unauthorized disclosure or dissemination). This
information may be used to adjust the information type or system impact
level.

Once a set of information types has been selected, the
agency should review the information processed by the system to see if
additional types need to be identified for impact assessment purposes.

Appendix C suggests provisional confidentiality, integrity,
and availability impact levels for management and support information types,
and Appendix D provides examples of provisional impact levels for some
mission-based information types. Where an information type processed by a
system is not categorized by this guideline, an initial impact determination
will need to be made based on FIPS 199 criteria. An agency may identify
information types not listed in SP 800-60 or may choose not to select
provisional impact levels from Appendix C (for management and support
information types) or Appendix D (for mission-based information types).
In such cases, the agency should employ the following criteria to determine
provisional impact levels.

-The potential impact is low if the loss of
confidentiality, integrity, or availability could be expected to have a limited adverse
effect on organizational operations, organizational assets, or individuals.

-The potential impact is moderate if the loss of
confidentiality, integrity, or availability could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals.

-The potential impact is high if the loss of confidentiality, integrity,
or availability could be
expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or individuals.

Particularly where security categorization impact levels
recommended in Appendix D are adopted as provisional levels, the agency should
review the appropriateness of the provisional impact levels in the context of
the organization, environment, mission, use, and connectivity associated with
the system under review. The confidentiality, integrity, and availability
impact levels may be adjusted one or more times in the course of the review.
Once the review and adjustment process is complete for all information types,
the mapping of impact levels by information type can be finalized. The impact
of compromise of information of a particular type can be different in different
agencies or in different operational contexts. Also, the impact for an information
type may vary throughout the life cycle.

Once the impact levels have been selected for individual
information types processed by a system, it is necessary to assign a system
security category. Determining the security category of an information system
requires additional analysis and must consider the security categories of all
information types resident on the information system. The potential impact
values assigned to each security objective (confidentiality, integrity,
availability) are the highest values (i.e., high water mark) for any one of
these objectives that has been determined for the types of information resident
on the information system.

While the value of not applicable can apply to
specific information types processed by systems, this value cannot be assigned
to any security objective for an information system. There is a minimum
provisional impact (i.e., low water mark) for a compromise of confidentiality,
integrity, and availability for an information system. This is necessary to
protect the system-level processing functions and information critical to the
operation of the information system.
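The high water mark and low water mark rules described above, as an added example in Python (not code from NIST or from SP 800-60): the information type names and their impact levels are constructed sample data, not values taken from Appendix C or D, and the rendering follows the FIPS 199 notation for a security category.

```python
# Added example, not NIST's code: aggregate the provisional impact levels of a
# system's information types into a system security category (high water mark
# per objective, LOW floor). Sample type names and levels below are constructed.
from typing import Dict

LOW, MODERATE, HIGH, NA = "LOW", "MODERATE", "HIGH", "NOT APPLICABLE"
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {NA: 0, LOW: 1, MODERATE: 2, HIGH: 3}  # ordering for the comparison
InfoTypeSC = Dict[str, str]  # security objective -> impact level

def check_info_type_sc(name: str, sc: InfoTypeSC) -> None:
    """Reject a malformed information-type category before aggregation."""
    if set(sc) != set(OBJECTIVES):
        raise ValueError(f"{name}: expected objectives {OBJECTIVES}, got {sorted(sc)}")
    for obj, level in sc.items():
        if level not in RANK:
            raise ValueError(f"{name}/{obj}: unknown impact level {level!r}")

def system_security_category(info_types: Dict[str, InfoTypeSC]) -> InfoTypeSC:
    """High water mark per objective across all information types.

    NOT APPLICABLE may be assigned to an information type but never to the
    system, so an objective that would otherwise be NA is raised to LOW
    (the low water mark that protects system-level processing functions).
    """
    result: InfoTypeSC = {}
    for obj in OBJECTIVES:
        top = NA
        for name, sc in info_types.items():
            check_info_type_sc(name, sc)
            if RANK[sc[obj]] > RANK[top]:
                top = sc[obj]
        result[obj] = top if RANK[top] >= RANK[LOW] else LOW
    return result

def format_sc(label: str, sc: InfoTypeSC) -> str:
    """Render in the FIPS 199 notation SC x = {(objective, level), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"

# Constructed sample: three information types after agency review and adjustment.
SAMPLE_TYPES: Dict[str, InfoTypeSC] = {
    "public web content": {"confidentiality": NA, "integrity": MODERATE, "availability": LOW},
    "vendor contract data": {"confidentiality": MODERATE, "integrity": LOW, "availability": LOW},
    "system audit records": {"confidentiality": LOW, "integrity": HIGH, "availability": NA},
}

if __name__ == "__main__":
    print(format_sc("sample system", system_security_category(SAMPLE_TYPES)))
```

Note that the availability objective ends up LOW even though two of the three types contribute LOW and one contributes NOT APPLICABLE; a system whose types were all NOT APPLICABLE for an objective would still be floored to LOW.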

The generalized format for expressing the security category,
or SC, of an information system is:

NIST SP 800-60 is available for download at our Computer
Security Resource Center at http://csrc.nist.gov/publications/.
Other publications mentioned in this bulletin are also available at this
website.

Disclaimer: Any mention of commercial products or
reference to commercial organizations is for information only; it does not
imply recommendation or endorsement by the National Institute of Standards and
Technology nor does it imply that the products mentioned are necessarily the
best available for the purpose.